Detections
Analytics

CVE-2026-53084

medium

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: return VMA snapshot from task_vma iterator Holding the per-VMA lock across the BPF program body creates a lock ordering problem when helpers acquire locks that depend on mmap_lock: vm_lock -> i_rwsem -> mmap_lock -> vm_lock Snapshot the VMA under the per-VMA lock in _next() via memcpy(), then drop the lock before returning. The BPF program accesses only the snapshot. The verifier only trusts vm_mm and vm_file pointers (see BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is reference- counted with get_file() under the lock and released via fput() on the next iteration or in _destroy(). vm_mm is already correct because lock_vma_under_rcu() verifies vma->vm_mm == mm. All other pointers are left as-is by memcpy() since the verifier treats them as untrusted.

References

https://git.kernel.org/stable/c/83b8802c034e843b83a3e1ef6f30cdd4e9ec291c

https://git.kernel.org/stable/c/592226d138378601ae28eb890e2bbc23ec3600f7

https://git.kernel.org/stable/c/4cbee026db54cad39c39db4d356100cb133412b3

https://git.kernel.org/stable/c/13860ca37b8df0b856ee1ce3bdbd7c327d5f53e8

Details

Source: Mitre, NVD

Published: 2026-06-24

Updated: 2026-06-24

Risk Information

CVSS v2

Base Score: 6.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:C

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: Medium

EPSS

EPSS: 0.00156